We claim: 

1. A user authentication service for a communication network, comprising: 

means for accepting and storing, as entries for particular users, user identification 
information; 

means for accepting log-in responses entered on an end system, said system 
associated with a LAN interface in said network; 

means for comparing for a match the accepted log-in responses with the stored 
user identification information; and 

means for establishing network connectivity for the system if a match is found. 

2. The user authentication service according to claim 1, wherein said LAN interface 
is operative for communicating with said system in a LAN media type. 

3. The user authentication service according to claim 2, wherein said LAN media 
type is Ethernet or Token Ring. 

4. A user authentication service for a communication network, comprising: 

means for accepting and storing, as associated entries for particular users, user 
identification information and lists of network resources, said lists defining sets of 
resources operative in said network; 

means for accepting log-in responses entered on an end system in said network; 

means for comparing for a match the accepted log-in responses with the stored 
user identification information; and 

means for establishing connectivity between the system and the defined set of 
resources associated with the matching user identification information. 

5. The user authentication service according to claim 4, wherein said lists of network 
resources include identifiers of one or more virtual local area networks. 

6. A user authentication service for a communication network, comprising: 

means for accepting and storing, as associated entries for particular users, user 
identification information, time restrictions and lists of network resources, said time 
restrictions defining an access period, said lists defining sets of resources operative in 
said network; 

means for accepting log-in responses entered on an end system in said network; 

means for comparing for a match the accepted log-in responses with the stored 
user identification information; 

means for establishing connectivity between the system and the defined set of 
resources associated with the matching user identification information, for the defined 
access period associated with the matching user identification information. 

7. The user authentication service according to claim 6, wherein said lists of network 
resources include identifiers of one or more virtual local area networks. 

8. A user authentication service for a communication network, comprising: 

means for accepting and storing, as associated entries for particular users, user 
identification information, lists of network resources and enhanced authentication 
information, said lists defining sets of resources operative in said network, said enhanced 
authentication information identifying an enhanced authentication server operative in said 
network; 

means for accepting log-in responses entered on an end system in said network; 

means for comparing for a match the accepted log-in responses with the stored 
user identification information; 

means for conducting an enhanced authentication session between the system and 
the identified enhanced authentication server associated with the matching user 
identification information; and 

means for establishing connectivity between the system and the defined set of 
resources associated with the matching user identification information, if the enhanced 
authentication session is successfully completed. 

9. The user authentication service according to claim 8, wherein said lists of network 
resources include identifiers of one or more virtual local area networks. 

10. A communication network providing user authentication services, comprising: 
n intelligent edge devices, where n is a positive integer; 

an end system associated with each device, said system having means for 
communicating with said device; 

a network management station, said station having means for communicating with 
said device; 

means on said device for accepting log-in responses from said system and 
communicating the accepted log-in responses to said station; 

means on said station for comparing for a match the accepted log-in responses 
with user identification information stored on said station; 

means on said station for retrieving authorized connectivity information 
associated with user identification information which matches the accepted log-in 
responses; and 

means on said station for communicating the retrieved authorized connectivity 
information to said device. 

11. The communication network according to claim 10, further comprising means for 
accepting and storing, as associated entries, user identification information and 
authorized connectivity information for particular users. 

12. The communication network according to claim 11, wherein said authorized 
connectivity information defines a set of resources operative within said network. 

13. The communication network according to claim 10, wherein said authorized 
connectivity information includes identifiers of one or more virtual local area networks. 

14. The communication network according to claim 10, wherein said authorized 
connectivity information defines a set of resources operative within said network and 
time restrictions. 



15. The communication network according to claim 10, further comprising means on 
said device for using the communicated authorized connectivity information to establish 
and implement forwarding and filtering rules for packets transmitted to and from said 
system. 

16. The communication network according to claim 10, further comprising means on 
said station for generating and storing user tracking information, said user tracking 
information including information relating to a single log-in attempt. 

17. The communication network according to claim 16, wherein said user tracking 
information includes user identification information and information relating to the 
location of said system within said network. 

18. The communication network according to claim 10, wherein said station and said 
device further include means for establishing and communicating over a secure 
connection. 

19. The communication network according to claim 18, wherein said secure 
connection is established through the exchange of authentication keys. 

20. The communication network according to claim 18, wherein encrypted flows are 
used in the establishment of said secure connection. 

21. A communication network providing user authentication services, comprising: 
n intelligent edge devices, where n is a positive integer; 

an end system associated with each device, said system having means for 
communicating with said device; 

an authentication server, said server having means for communicating with said 
device; 

means on said device for accepting log-in responses from said system and 
communicating the accepted log-in responses to said server; 

means on said server for comparing for a match the accepted log-in responses 
with user identification information stored in said network; 

means on said server for retrieving authorized connectivity information associated 
with user identification information which matches the accepted log-in responses; and 

means on said server for communicating the retrieved authorized connectivity 
information to said device. 

22. The communication network according to claim 21, further comprising means for 
accepting and storing, as associated entries, user identification information and 
authorized connectivity information for particular users. 

23. The communication network according to claim 21, wherein said authorized 
connectivity information defines a set of resources operative within said network. 

24. The communication network according to claim 21, wherein said authorized 
connectivity information includes identifiers of one or more virtual local area networks. 

25. The communication network according to claim 21, wherein said authorized 
connectivity information defines a set of resources operative within said network and 
time restrictions. 

26. The communication network according to claim 21, further comprising means on 
said device for using the communicated authorized connectivity information to establish 
and implement forwarding and filtering rules for packets transmitted to and from said 
system. 

27. The communication network according to claim 21, further comprising means in 
said network for generating and storing user tracking information, said user tracking 
information including information relating to a single log-in attempt. 

28. The communication network according to claim 27, wherein said user tracking 
information includes user identification information and information relating to the 
location of said system within said network. 

29. The secure communication network according to claim 21, wherein said server 
and said device further include means for establishing and communicating over a secure 
connection. 

30. The secure communication network according to claim 29, wherein said secure 
connection is established through the exchange of authentication keys. 

31. The secure communication network according to claim 29, wherein encrypted 
flows are used in the establishment of said secure connection. 

32. A method for authenticating prospective users of a communication network, 
comprising: 

(a) accepting and storing, as associated entries for particular users, user 
identification information and lists of network resources, said lists defining sets of 
resources operative in said network; 

(b) accepting log-in responses on an end system in said network; 

(c) comparing for a match the accepted log-in responses with the stored user 
identification information; and 

(d) if a match is found, establishing connectivity between said system and the 
defined set of resources associated with the matching user identification information. 

33. A method for authenticating prospective users of a communication network, 
comprising: 

(a) accepting and storing, as associated entries for particular users, user 
identification information, time restrictions and lists of network resources, said time 
restrictions defining authorized times, said lists defining sets of resources operative in 
said network; 

(b) accepting log-in responses on an end system in said network during a log-in 
attempt; 

(c) comparing for a user match the accepted log-in responses with the stored user 
identification information; 

(d) upon finding a user match, comparing for a time match the defined authorized 
times associated with the matching user identification information with the time of the 
log-in attempt; 

(e) upon finding a time match, establishing connectivity between said system and 
the defined set of resources associated with the matching user identification information 
for the defined authorized time associated with the matching user identification 
information. 

34. A method for authenticating prospective users of a communication network, 
comprising: 

(a) accepting and storing, as associated entries for particular users, user 
identification information, lists of network resources and enhanced authentication 
information, said lists defining sets of resources operative in said network, said enhanced 
authentication information identifying an enhanced authentication server operative in said 
network; 

(b) accepting log-in responses on an end system in said network; 

(c) comparing for a match the accepted log-in responses with the stored user 
identification information; 

(d) if a match is found, conducting an enhanced authentication method between 
said system and the identified enhanced authentication server associated with 
the matching user identification information; and 

(e) if the enhanced authentication method is successfully completed, establishing 
connectivity between said system and the defined set of resources associated with the 
matching user identification information. 
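
As an added illustration of the station-side method of claims 32 to 34 (example code, not part of the claims or the patent's own description), the following models steps (a) to (e): the stored entry, the user match, the time match of claim 33 and the enhanced authentication step of claim 34. The salted PBKDF2 credential storage and the callback standing in for the enhanced authentication session are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class UserEntry:
    salt: bytes
    pw_hash: bytes
    resources: list                        # e.g. VLAN identifiers (claims 5, 7, 9)
    access_start: Optional[time] = None    # time restrictions of claim 33
    access_end: Optional[time] = None
    enhanced_server: Optional[str] = None  # enhanced authentication server of claim 34

def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage format: salted PBKDF2-SHA256, so the station keeps no plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthenticationStation:
    def __init__(self):
        self.entries = {}

    def store(self, user, password, resources, start=None, end=None, enhanced_server=None):
        # Step (a): associated entry of identification information, resources and restrictions.
        salt = os.urandom(16)
        self.entries[user] = UserEntry(
            salt, _hash(password, salt), list(resources),
            time.fromisoformat(start) if start else None,
            time.fromisoformat(end) if end else None, enhanced_server)

    def authenticate(self, user, password, attempt_time, enhanced=None):
        """Return the authorized resource list, or None when any comparison fails."""
        entry = self.entries.get(user)
        if entry is None:
            return None
        if not hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash):
            return None                                  # step (c): no user match
        if entry.access_start is not None and entry.access_end is not None:
            now = datetime.fromisoformat(attempt_time).time()
            if not entry.access_start <= now <= entry.access_end:
                return None                              # claim 33 (d): no time match
        if entry.enhanced_server is not None:
            if enhanced is None or not enhanced(entry.enhanced_server):
                return None                              # claim 34 (d)/(e): session failed
        return list(entry.resources)                     # step (d)/(e): connectivity set
```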
35. An authentication agent for a network-based user authentication service, 
comprising: 

means for receiving log-in responses from an end system; 
means for communicating said log-in responses to an authentication server; 
means for receiving authorized connectivity information from said authentication 
server in response to said log-in responses; and 

means for communicating said authorized connectivity information to a 
processing means, said processing means operative for establishing network connectivity 
rules for said system using said authorized connectivity information. 

36. The authentication agent according to claim 35, further comprising: 
means for receiving user status information from said authentication server in 
response to said log-in responses; and 

means for communicating said user status information to said system. 

37. The authentication agent according to claim 35, further comprising means for 
establishing a secure connection for communicating with said authentication server. 

38. The authentication agent according to claim 37, wherein said secure connection is 
established through the exchange of authentication keys. 

39. The authentication agent according to claim 35, further comprising means for 
terminating connectivity with said system after a configurable number of failed log-in 
attempts. 

40. The authentication agent according to claim 35, wherein said authorized 
connectivity information includes time restrictions defining an access period, and 
wherein said processing means is operative for abolishing the established network 
connectivity rules if said access period expires. 

41. The authentication agent according to claim 35, wherein said processing means is 
operative for abolishing the established network connectivity rules if said system 
becomes disconnected from the network. 

42. The authentication agent according to claim 35, wherein said processing means is 
operative for abolishing the established network connectivity rules if said agent receives 
from said server a deactivation instruction for said system. 

43. The authentication agent according to claim 35, wherein said processing means is 
operative for abolishing the established network connectivity rules if such system fails to 
transmit packets for a predetermined length of time. 
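
As an added illustration of the authentication agent of claims 35 to 43 (example code, not part of the claims or the patent's own description), the following models the rule lifecycle on an edge device: log-in responses are forwarded to the server, user status is relayed back, rules are established from the returned connectivity information, and they are abolished on access-period expiry, link loss, a deactivation instruction, idle silence or too many failed log-ins. The server is assumed to be a callable returning (status, connectivity), and the forwarding and filtering rules are reduced to an allow-list of resource identifiers per end system.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Connectivity:
    resources: list                      # authorized resources, e.g. VLAN identifiers
    expires_at: Optional[float] = None   # end of the access period (claim 40), epoch seconds

class AuthenticationAgent:
    def __init__(self, server: Callable, max_failures: int = 3, idle_timeout: float = 300.0):
        self.server = server               # assumed: (user, password) -> (status, Connectivity|None)
        self.max_failures = max_failures   # configurable threshold of claim 39
        self.idle_timeout = idle_timeout   # predetermined silence period of claim 43
        self.rules = {}                    # end system -> Connectivity (the established rules)
        self.failures = {}
        self.last_seen = {}
        self.terminated = set()

    def login(self, system, user, password, now):
        """Forward log-in responses to the server and establish rules on success (claims 35, 36)."""
        if system in self.terminated:
            return "terminated"
        status, conn = self.server(user, password)
        if conn is None:
            self.failures[system] = self.failures.get(system, 0) + 1
            if self.failures[system] >= self.max_failures:
                self.terminated.add(system)  # claim 39: connectivity with the system terminated
                return "terminated"
            return status                    # claim 36: relay user status to the end system
        self.failures.pop(system, None)
        self.rules[system] = conn
        self.last_seen[system] = now
        return status

    def permits(self, system, resource, now):
        # Apply the established rules to a packet from `system` at time `now`.
        conn = self.rules.get(system)
        if conn is None:
            return False
        if conn.expires_at is not None and now >= conn.expires_at:
            self.abolish(system)             # claim 40: access period expired
            return False
        if now - self.last_seen[system] > self.idle_timeout:
            self.abolish(system)             # claim 43: no packets for too long
            return False
        self.last_seen[system] = now
        return resource in conn.resources

    def abolish(self, system):  # link down (claim 41) or deactivation instruction (claim 42)
        self.rules.pop(system, None)
        self.last_seen.pop(system, None)
```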